[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ ok ] Starting file context maintaining daemon: restorecond.

Debian GNU/Linux 7 syzkaller ttyS0

syzkaller login: [ 33.674575] random: sshd: uninitialized urandom read (32 bytes read)
[ 33.911555] kauditd_printk_skb: 9 callbacks suppressed
[ 33.911564] audit: type=1400 audit(1569042103.223:35): avc: denied { map } for pid=6863 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
[ 33.968912] random: sshd: uninitialized urandom read (32 bytes read)
[ 34.479321] random: sshd: uninitialized urandom read (32 bytes read)
Warning: Permanently added '10.128.0.37' (ECDSA) to the list of known hosts.
[ 40.209211] urandom_read: 1 callbacks suppressed
[ 40.209217] random: sshd: uninitialized urandom read (32 bytes read)
[ 40.333529] audit: type=1400 audit(1569042109.643:36): avc: denied { map } for pid=6876 comm="syz-executor991" path="/root/syz-executor991768102" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
[ 40.611054] IPVS: ftp: loaded support on port[0] = 21
[ 41.415017] chnl_net:caif_netlink_parms(): no params data found
[ 41.443450] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.450153] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.457228] device bridge_slave_0 entered promiscuous mode
[ 41.464087] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.470580] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.477386] device bridge_slave_1 entered promiscuous mode
[ 41.492636] bond0: Enslaving bond_slave_0 as an active interface with an up link
[ 41.501348] bond0: Enslaving bond_slave_1 as an active interface with an up link
[ 41.516679] IPv6: ADDRCONF(NETDEV_UP): team_slave_0: link is not ready
[ 41.524029] team0: Port device team_slave_0 added
[ 41.529367] IPv6: ADDRCONF(NETDEV_UP): team_slave_1: link is not ready
[ 41.536523] team0: Port device team_slave_1 added
[ 41.542043] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_0: link is not ready
[ 41.549157] IPv6: ADDRCONF(NETDEV_UP): bridge_slave_1: link is not ready
[ 41.602094] device hsr_slave_0 entered promiscuous mode
[ 41.670575] device hsr_slave_1 entered promiscuous mode
[ 41.720709] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_0: link is not ready
[ 41.727602] IPv6: ADDRCONF(NETDEV_UP): hsr_slave_1: link is not ready
[ 41.739928] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.746362] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.753235] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.759563] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 41.785218] IPv6: ADDRCONF(NETDEV_UP): bond0: link is not ready
[ 41.792119] 8021q: adding VLAN 0 to HW filter on device bond0
[ 41.799541] IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
[ 41.807483] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 41.826549] bridge0: port 1(bridge_slave_0) entered disabled state
[ 41.833628] bridge0: port 2(bridge_slave_1) entered disabled state
[ 41.843112] IPv6: ADDRCONF(NETDEV_UP): team0: link is not ready
[ 41.849170] 8021q: adding VLAN 0 to HW filter on device team0
[ 41.857130] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 41.865136] bridge0: port 1(bridge_slave_0) entered blocking state
[ 41.871512] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 41.880916] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 41.888430] bridge0: port 2(bridge_slave_1) entered blocking state
[ 41.894810] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 41.907586] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_0: link becomes ready
[ 41.915254] IPv6: ADDRCONF(NETDEV_CHANGE): team0: link becomes ready
[ 41.924671] IPv6: ADDRCONF(NETDEV_CHANGE): team_slave_1: link becomes ready
[ 41.937201] hsr0: Slave A (hsr_slave_0) is not up; please bring it up to get a fully working HSR network
[ 41.947484] hsr0: Slave B (hsr_slave_1) is not up; please bring it up to get a fully working HSR network
[ 41.959588] IPv6: ADDRCONF(NETDEV_UP): hsr0: link is not ready
[ 41.966243] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 41.973996] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 41.981425] IPv6: ADDRCONF(NETDEV_CHANGE): hsr0: link becomes ready
executing program
[ 41.992695] IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
[ 42.001927] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 42.150691] ==================================================================
[ 42.158161] BUG: KASAN: use-after-free in tcp_init_tso_segs+0x1ae/0x200
[ 42.165069] Read of size 2 at addr ffff8880979e6030 by task syz-executor991/6877
[ 42.172578]
[ 42.174188] CPU: 1 PID: 6877 Comm: syz-executor991 Not tainted 4.14.145 #0
[ 42.181175] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.190534] Call Trace:
[ 42.193124]  dump_stack+0x138/0x197
[ 42.196753]  ? tcp_init_tso_segs+0x1ae/0x200
[ 42.201141]  print_address_description.cold+0x7c/0x1dc
[ 42.206662]  ? tcp_init_tso_segs+0x1ae/0x200
[ 42.211061]  kasan_report.cold+0xa9/0x2af
[ 42.215201]  __asan_report_load2_noabort+0x14/0x20
[ 42.220109]  tcp_init_tso_segs+0x1ae/0x200
[ 42.224321]  ? tcp_tso_segs+0x7d/0x1c0
[ 42.228202]  tcp_write_xmit+0x15e/0x4960
[ 42.232254]  ? tcp_v4_md5_lookup+0x23/0x30
[ 42.236478]  ? tcp_established_options+0x2c5/0x420
[ 42.241384]  ? tcp_current_mss+0x1dc/0x2f0
[ 42.245612]  ? __alloc_skb+0x3ee/0x500
[ 42.249498]  __tcp_push_pending_frames+0xa6/0x260
[ 42.254317]  tcp_send_fin+0x17e/0xc40
[ 42.258097]  tcp_close+0xcc8/0xfb0
[ 42.261613]  ? __sock_release+0x89/0x2b0
[ 42.265650]  ? ip_mc_drop_socket+0x1d6/0x230
[ 42.270040]  inet_release+0xec/0x1c0
[ 42.273730]  __sock_release+0xce/0x2b0
[ 42.277602]  ? __sock_release+0x2b0/0x2b0
[ 42.281734]  sock_close+0x1b/0x30
[ 42.285165]  __fput+0x275/0x7a0
[ 42.288524]  ____fput+0x16/0x20
[ 42.291783]  task_work_run+0x114/0x190
[ 42.295662]  do_exit+0x7df/0x2c10
[ 42.299103]  ? mm_update_next_owner+0x5d0/0x5d0
[ 42.303756]  ? up_read+0x1a/0x40
[ 42.307098]  ? __do_page_fault+0x358/0xb80
[ 42.311313]  do_group_exit+0x111/0x330
[ 42.315178]  SyS_exit_group+0x1d/0x20
[ 42.318956]  ? do_group_exit+0x330/0x330
[ 42.323006]  do_syscall_64+0x1e8/0x640
[ 42.326880]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.331718]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.336886] RIP: 0033:0x440b38
[ 42.340072] RSP: 002b:00007fffb5be4838 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 42.347755] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b38
[ 42.355533] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 42.362802] RBP: 00000000004c6fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 42.370063] R10: 0000000020000804 R11: 0000000000000246 R12: 0000000000000001
[ 42.377314] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 42.384573]
[ 42.386182] Allocated by task 6877:
[ 42.389806]  save_stack_trace+0x16/0x20
[ 42.393758]  save_stack+0x45/0xd0
[ 42.397199]  kasan_kmalloc+0xce/0xf0
[ 42.400893]  kasan_slab_alloc+0xf/0x20
[ 42.404755]  kmem_cache_alloc_node+0x144/0x780
[ 42.409313]  __alloc_skb+0x9c/0x500
[ 42.412931]  sk_stream_alloc_skb+0xb3/0x780
[ 42.417247]  tcp_sendmsg_locked+0xf61/0x3200
[ 42.421650]  tcp_sendmsg+0x30/0x50
[ 42.425169]  inet_sendmsg+0x122/0x500
[ 42.428949]  sock_sendmsg+0xce/0x110
[ 42.432640]  SYSC_sendto+0x206/0x310
[ 42.436329]  SyS_sendto+0x40/0x50
[ 42.439763]  do_syscall_64+0x1e8/0x640
[ 42.443712]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.448901]
[ 42.450525] Freed by task 6877:
[ 42.453786]  save_stack_trace+0x16/0x20
[ 42.457739]  save_stack+0x45/0xd0
[ 42.461170]  kasan_slab_free+0x75/0xc0
[ 42.465073]  kmem_cache_free+0x83/0x2b0
[ 42.469037]  kfree_skbmem+0x8d/0x120
[ 42.472744]  __kfree_skb+0x1e/0x30
[ 42.476264]  tcp_remove_empty_skb.part.0+0x231/0x2e0
[ 42.481367]  tcp_sendmsg_locked+0x1ced/0x3200
[ 42.485839]  tcp_sendmsg+0x30/0x50
[ 42.489355]  inet_sendmsg+0x122/0x500
[ 42.493151]  sock_sendmsg+0xce/0x110
[ 42.496839]  SYSC_sendto+0x206/0x310
[ 42.500530]  SyS_sendto+0x40/0x50
[ 42.503962]  do_syscall_64+0x1e8/0x640
[ 42.507837]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.512998]
[ 42.514604] The buggy address belongs to the object at ffff8880979e6000
[ 42.514604]  which belongs to the cache skbuff_fclone_cache of size 472
[ 42.527930] The buggy address is located 48 bytes inside of
[ 42.527930]  472-byte region [ffff8880979e6000, ffff8880979e61d8)
[ 42.539704] The buggy address belongs to the page:
[ 42.544610] page:ffffea00025e7980 count:1 mapcount:0 mapping:ffff8880979e6000 index:0x0
[ 42.552728] flags: 0x1fffc0000000100(slab)
[ 42.556939] raw: 01fffc0000000100 ffff8880979e6000 0000000000000000 0000000100000006
[ 42.564838] raw: ffffea000212a160 ffffea000228a3e0 ffff88821b7203c0 0000000000000000
[ 42.572707] page dumped because: kasan: bad access detected
[ 42.578407]
[ 42.580019] Memory state around the buggy address:
[ 42.584934]  ffff8880979e5f00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 42.592275]  ffff8880979e5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 42.599614] >ffff8880979e6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.606950]                                      ^
[ 42.611858]  ffff8880979e6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.619194]  ffff8880979e6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 42.626554] ==================================================================
[ 42.633894] Disabling lock debugging due to kernel taint
[ 42.641864] IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
[ 42.643504] Kernel panic - not syncing: panic_on_warn set ...
[ 42.643504]
[ 42.655838] CPU: 0 PID: 6877 Comm: syz-executor991 Tainted: G    B    4.14.145 #0
[ 42.664167] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 42.673519] Call Trace:
[ 42.676091]  dump_stack+0x138/0x197
[ 42.679786]  ? tcp_init_tso_segs+0x1ae/0x200
[ 42.684261]  panic+0x1f2/0x426
[ 42.687445]  ? add_taint.cold+0x16/0x16
[ 42.691402]  ? ___preempt_schedule+0x16/0x18
[ 42.695794]  kasan_end_report+0x47/0x4f
[ 42.699763]  kasan_report.cold+0x130/0x2af
[ 42.703978]  __asan_report_load2_noabort+0x14/0x20
[ 42.708885]  tcp_init_tso_segs+0x1ae/0x200
[ 42.713124]  ? tcp_tso_segs+0x7d/0x1c0
[ 42.717005]  tcp_write_xmit+0x15e/0x4960
[ 42.721059]  ? tcp_v4_md5_lookup+0x23/0x30
[ 42.725284]  ? tcp_established_options+0x2c5/0x420
[ 42.730191]  ? tcp_current_mss+0x1dc/0x2f0
[ 42.734405]  ? __alloc_skb+0x3ee/0x500
[ 42.738269]  __tcp_push_pending_frames+0xa6/0x260
[ 42.743092]  tcp_send_fin+0x17e/0xc40
[ 42.746882]  tcp_close+0xcc8/0xfb0
[ 42.750400]  ? __sock_release+0x89/0x2b0
[ 42.754438]  ? ip_mc_drop_socket+0x1d6/0x230
[ 42.758821]  inet_release+0xec/0x1c0
[ 42.762525]  __sock_release+0xce/0x2b0
[ 42.766389]  ? __sock_release+0x2b0/0x2b0
[ 42.770516]  sock_close+0x1b/0x30
[ 42.773949]  __fput+0x275/0x7a0
[ 42.777205]  ____fput+0x16/0x20
[ 42.780516]  task_work_run+0x114/0x190
[ 42.784383]  do_exit+0x7df/0x2c10
[ 42.787863]  ? mm_update_next_owner+0x5d0/0x5d0
[ 42.792511]  ? up_read+0x1a/0x40
[ 42.795854]  ? __do_page_fault+0x358/0xb80
[ 42.800074]  do_group_exit+0x111/0x330
[ 42.803943]  SyS_exit_group+0x1d/0x20
[ 42.807717]  ? do_group_exit+0x330/0x330
[ 42.811754]  do_syscall_64+0x1e8/0x640
[ 42.815688]  ? trace_hardirqs_off_thunk+0x1a/0x1c
[ 42.820525]  entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 42.825694] RIP: 0033:0x440b38
[ 42.828866] RSP: 002b:00007fffb5be4838 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 42.836553] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000440b38
[ 42.843816] RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001
[ 42.851100] RBP: 00000000004c6fd0 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 42.858351] R10: 0000000020000804 R11: 0000000000000246 R12: 0000000000000001
[ 42.865774] R13: 00000000006d95e0 R14: 0000000000000000 R15: 0000000000000000
[ 42.874681] Kernel Offset: disabled
[ 42.878310] Rebooting in 86400 seconds..